Trend Micro last month released a tool that could decrypt files encrypted by several ransomware families and versions. Among these are the first version of Cerber, along with CryptXXX, BadBlock, and TeslaCrypt.

A Trend Micro researcher named PanicAll said the Cerber ransomware author must have looked at the decryption code and found a way to get around it.

Files encrypted by Cerber2 get the .cerber2 extension, and the malware shows a new ransom message.

The encryption method has also changed: Cerber2 now uses the Microsoft API CryptGenRandom to generate the 32-byte encryption key.

Finally, the new variant also uses a packer to make malware analysis more difficult.